
Why cache when token database exists?

I am new to Apigee and am working through an OAuth client credentials design. One piece that is not clear to me is an appropriate way for Edge to take an opaque access token that it has received from the client and look up the JWT associated with that token. I see that this is a scenario in "Short-term general purpose caching":

However, I've also seen mention of a token database inside of Apigee Edge. I see that I can retrieve the data from the JWT using the access token, but I would like to get the whole token so that it can be passed to microservices, who use that JWT.

What is the correct way to go here? I've searched around quite a bit and haven't found this scenario used, which makes me think that I've got something wrong.

Really there's just one case that is tricky, and that is: what do you do with a JWT that is stored as a custom attribute on an opaque token, if the JWT expires before the opaque token expires? And that's up to you to decide.

I'll give you an example to consider. To use Google's APIs for Drive and Stackdriver and BigQuery, a client app needs to obtain an opaque OAuth access token. To obtain the token, the client needs to generate a self-signed JWT, an ID token. Google's OAuth endpoint requires that the ID token passed in a request-for-token must expire within 5 minutes. But the returned access token lasts for an hour.

I have no idea whether Google "stores" the original JWT. That's not the point. The point is to illustrate a case in which it makes sense for a short-lived JWT to be used in generating a longer-lived opaque OAuth token.

If you want to synchronize the lifetimes, you can set the ExpiresIn in the OAuthV2/GenerateAccessToken policy to refer to a variable, which you compute based on the expiry of the JWT. The VerifyJWT policy will set a seconds_remaining variable. That value isn't directly appropriate for the ExpiresIn in the OAuthV2/GenerateAccessToken policy, because (maddeningly) ExpiresIn is expressed in MILLIseconds. So you'd need a JS script to multiply by 1000, to get the right number.
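As an added illustration of the lifetime-sync approach described in the answer (this is example code, not from the answerer or from Apigee), here is a JavaScript-policy script that turns the VerifyJWT `seconds_remaining` value into the millisecond `ExpiresIn` value. The policy name `Verify-JWT-1`, the flow-variable names, the one-hour cap and the safety margin are assumptions.

```javascript
// Added example: Apigee JavaScript-policy script (ES5/Rhino style, hence `var`) that
// converts the remaining JWT lifetime into the millisecond ExpiresIn value that
// OAuthV2/GenerateAccessToken expects. Policy and variable names are assumptions.

// The VerifyJWT policy is assumed to be named "Verify-JWT-1"; when the JWT is valid
// it sets jwt.Verify-JWT-1.seconds_remaining (seconds, not milliseconds).
var SECONDS_REMAINING_VAR = "jwt.Verify-JWT-1.seconds_remaining";
// Variable to reference from GenerateAccessToken as <ExpiresIn ref="oauth.token_ttl_ms"/>
var TTL_MS_VAR = "oauth.token_ttl_ms";
// Never mint an opaque token that outlives the JWT it carries: cap the lifetime and
// keep a small margin so the opaque token expires strictly before the JWT does.
var MAX_TTL_MS = 60 * 60 * 1000;     // assumed cap: one hour
var SAFETY_MARGIN_MS = 5 * 1000;     // assumed margin: five seconds

// Pure conversion: seconds remaining on the JWT -> milliseconds for ExpiresIn.
// Returns null when no usable lifetime can be derived (missing, non-numeric or
// already expired) so the caller can refuse to issue a token instead of silently
// falling back to a long default.
function ttlMillisFromSecondsRemaining(secondsRemaining) {
  if (secondsRemaining === null || secondsRemaining === undefined || secondsRemaining === "") {
    return null;
  }
  var secs = Number(secondsRemaining);
  if (isNaN(secs)) {
    return null;
  }
  var ms = Math.floor(secs * 1000) - SAFETY_MARGIN_MS;
  if (ms <= 0) {
    return null; // JWT expired, or too close to expiry to issue anything
  }
  return Math.min(ms, MAX_TTL_MS);
}

// Entry point inside the policy: `ctx` is Apigee's built-in `context` object
// (getVariable/setVariable). Returns true when a TTL was set, false on failure.
function setTokenTtl(ctx) {
  var ttl = ttlMillisFromSecondsRemaining(ctx.getVariable(SECONDS_REMAINING_VAR));
  if (ttl === null) {
    // Flag the failure; a RaiseFault policy conditioned on this variable can return 401.
    ctx.setVariable("oauth.token_ttl_error", "jwt_expired_or_missing");
    return false;
  }
  ctx.setVariable(TTL_MS_VAR, String(ttl));
  return true;
}

// Only run against the real context when loaded by the Apigee policy.
if (typeof context !== "undefined") {
  setTokenTtl(context);
}
```

Wire `oauth.token_ttl_ms` into `<ExpiresIn ref="oauth.token_ttl_ms">` of the GenerateAccessToken policy, and attach the verified JWT itself as a custom attribute on the opaque token in the same policy if downstream microservices need the whole token.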